DESCRIPTION

This PowerShell runbook (compatible with PowerShell Core) connects to Azure and Azure Active Directory using an Automation Run As account, retrieves all app registrations in the tenant and sorts them as Active (credentials have not expired yet) or Expired (credentials have already expired). The output is written to the output stream and to a CSV file stored in a container within a storage account that the runbook creates for this purpose. You can attach a recurring schedule to the runbook to run it at a specific time.
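As an added example (not the runbook's own code), the Active/Expired classification described above written as a stand-alone function that runs offline against constructed objects shaped like the PasswordCredentials and KeyCredentials collections returned by Get-AzureADApplication; it goes slightly beyond the runbook by also reporting days remaining and flagging credentials with no EndDate. The function name, the Now parameter and the sample app are assumptions.

```powershell
# Added example (not part of the runbook): classify an app registration's credentials offline.
# $App mimics the object returned by Get-AzureADApplication; the sample below is constructed.
function Get-CredentialStatus {
    param(
        [Parameter(Mandatory = $true)] $App,   # needs DisplayName, AppId, PasswordCredentials, KeyCredentials
        [datetime] $Now = (Get-Date)           # injectable clock so results are reproducible
    )

    # Walk both credential types in one pass (the runbook classifies them in separate calls).
    $sets = @(
        @{ Type = 'Password';    Items = $App.PasswordCredentials },
        @{ Type = 'Certificate'; Items = $App.KeyCredentials }
    )
    foreach ($set in $sets) {
        foreach ($cred in @($set.Items)) {
            if ($null -eq $cred) { continue }
            # A missing EndDate cannot be classified; flag it instead of silently calling it Active.
            if ($null -eq $cred.EndDate) {
                $status = 'Unknown'; $daysLeft = $null
            }
            elseif ($Now -gt $cred.EndDate) {
                $status = 'Expired'; $daysLeft = 0
            }
            else {
                $status = 'Active'; $daysLeft = [int][math]::Ceiling(($cred.EndDate - $Now).TotalDays)
            }
            [PSCustomObject]@{
                Name = $App.DisplayName; AppId = $App.AppId; Credentials = $set.Type
                KeyId = $cred.KeyId; Start = $cred.StartDate; End = $cred.EndDate
                DaysLeft = $daysLeft; Status = $status
            }
        }
    }
}

# Constructed sample: an expired client secret and a still-valid certificate (placeholder ids).
$now = [datetime]'2019-05-08'
$sampleApp = [PSCustomObject]@{
    DisplayName         = 'contoso-api'
    AppId               = '00000000-0000-0000-0000-000000000000'
    PasswordCredentials = @([PSCustomObject]@{ KeyId = 'pw-1'; StartDate = $now.AddYears(-2); EndDate = $now.AddYears(-1) })
    KeyCredentials      = @([PSCustomObject]@{ KeyId = 'cert-1'; StartDate = $now.AddMonths(-1); EndDate = $now.AddMonths(11) })
}
Get-CredentialStatus -App $sampleApp -Now $now |
    Format-Table Name, Credentials, KeyId, End, DaysLeft, Status
```

With the sample data the password credential is reported as Expired and the certificate as Active with roughly 335 days left.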

REQUIRED

1. An Automation connection asset called AzureRunAsConnection that contains the information for connecting to Azure with a service principal that holds the Application Administrator role on the tenant, so it can list all app registrations. To use an asset with a different name, pass the asset name as an input parameter to this runbook.

2. A storage account name that follows your naming convention and Azure naming restrictions.

3. A container name (within the specified storage account) that follows your naming convention and Azure naming restrictions.

4. The name of the location that will host the storage account.

5. The name of the resource group that will host the storage account.

6. The following PowerShell modules are required to run the cmdlets: Az.Accounts, Az.Storage, AzureAD and Az.Automation.

AUTHOR

Farouk FRIHA

LAST EDIT

2019-05-08

RELEASE NOTES

2019-05-08 First release

RUNBOOK CONTENT

#-------------------------------------------------------------[Parameters]------------------------------------------------------ 
 
Param ( 
 
    [Parameter(Mandatory=$true)]   
    [String]$StorageAccountName, 
 
    [Parameter(Mandatory=$true)]   
    [String]$ResourceGroupName, 
 
    [Parameter(Mandatory=$true)]   
    [String]$ContainerName, 
 
    [Parameter(Mandatory=$true)]   
    [String]$Location 
) 
 
#---------------------------------------------------------[Initializations]----------------------------------------------------- 
 
$ErrorActionPreference = "Continue" 
$credsInventory = @() 
# CSV file name carries the run date, e.g. AppsWithCredentials-05082019.csv
$path = "AppsWithCredentials-" + (Get-Date).ToString("MMddyyyy") + ".csv"
 
#----------------------------------------------------------[Functions]---------------------------------------------------------- 
 
Function Sort-Credentials ($App, $Creds, $Owner, $CredsType)
{
    # A credential is Expired once its EndDate is in the past, otherwise Active
    if ((Get-Date) -gt $($Creds.EndDate))
    {
        $Status = "Expired"
    }
    else
    {
        $Status = "Active"
    }

    # One inventory row per credential, with owner details for follow-up
    $output = [PSCustomObject] @{
        Name = $App.DisplayName
        ObjectId = $App.ObjectId
        AppId = $App.AppId
        Credentials = $CredsType
        Start = ($Creds.StartDate).ToString("MM/dd/yyyy")
        End = ($Creds.EndDate).ToString("MM/dd/yyyy")
        Owner = $Owner.DisplayName
        Publisher = $Owner.PublisherName
        Contact = $Owner.UserPrincipalName
        Status = $Status
    }

    return $output
}
 
#----------------------------------------------------------[Execution]---------------------------------------------------------- 
 
try 
{ 
    ## Authentication 
    Write-Output "" 
    Write-Output "------------------------ Authentication ------------------------" 
    Write-Output "Logging in to Azure and Azure AD ..." 
 
    $Conn = Get-AutomationConnection -Name AzureRunAsConnection 
     
    $null = Connect-AzureAD ` 
                    -TenantId $Conn.TenantID ` 
                    -ApplicationId $Conn.ApplicationID ` 
                    -CertificateThumbprint $Conn.CertificateThumbprint 
 
    # Ensures you do not inherit an AzContext in your runbook 
    $null = Disable-AzContextAutosave -Scope Process 
     
    $null = Connect-AzAccount ` 
                    -ServicePrincipal ` 
                    -Tenant $Conn.TenantID ` 
                    -ApplicationId $Conn.ApplicationID ` 
                    -CertificateThumbprint $Conn.CertificateThumbprint 
 
    Write-Output "Successfully logged in to Azure and Azure AD."  
}  
catch 
{ 
    if (!$Conn) 
    { 
        $ErrorMessage = "Service principal not found." 
        throw $ErrorMessage 
    }  
    else 
    { 
        Write-Error -Message $_.Exception 
        throw $_.Exception 
    } 
} 
## End of authentication 
 
## Get all Azure AD applications 
try 
{ 
    Write-Output "" 
    Write-Output "------------------------ Status ------------------------" 
    Write-Output "Getting all Azure AD applications ..." 
 
    # -All $true is required; without it Get-AzureADApplication returns only the first page of results
    $apps = Get-AzureADApplication -All $true
     
    Write-Output "Done." 
    Write-Output "Formatting output ..."